Schrems vs. DPC Battle Heats Up, as New Document Suggests Irish Privacy Body Tried to Weaken GDPR
The privacy campaigner Max Schrems has been doggedly fighting to force Facebook to respect EU users’ privacy for nearly a decade now. As this blog has reported, there have been many twists and turns in the saga. Earlier this year, it seemed that the key player responsible for enforcing the protection of Facebook users in the EU, the Irish Data Protection Commission (DPC), was finally about to deliver its decision on Facebook’s EU-US data flows. But there was another major plot twist in October, when Schrems’ organization NOYB (“none of your business”) published a draft version of the DPC’s decision.
It contained a bombshell: according to NOYB, “In the DPC’s view Facebook can simply choose to include the agreement on data processing in a “contract”, which would make the GDPR requirements for “consent” not apply anymore.” Although that sounds innocuous enough, it effectively guts one of the key features of the GDPR. The Norwegian data protection authority has said that the right to privacy and data protection would cease to exist if the DPC draft decision is allowed to stand. Schrems explains:
It is painfully obvious that Facebook simply tries to bypass the clear rules of the GDPR by relabeling the agreement on data use as a ‘contract’. If this would be accepted, any company could just write the processing of data into a contract and thereby legitimize any use of customer data without consent. This is absolutely against the intentions of the GDPR, that explicitly prohibits to hide consent agreements in terms and conditions
Schrems points to research that NOYB commissioned on the issue. It showed that 64% of the 1000 Facebook users questioned by a market research company thought that the usual requirement to accept Facebook’s terms and conditions was in fact asking for GDPR agreement. They had not, therefore, given real “consent” under the GDPR, but Facebook – and the DPC – argued that agreeing to its terms and conditions could override the GDPR.
The DPC was not happy that NOYB released the draft version of its decision. Two days later, the DPC sent a letter requiring NOYB “to remove the draft decision from your website forthwith, and to desist from any further or other publication or disclosure of same”. Schrems’ organization refused on a variety of grounds, including the fact that the original complainant is a party before the Austrian Data Protection Authority (DPA), under Austrian law, which does not limit the use of such documents in any way. Schrems said that the relevant law that applies to the complainant had been discussed and confirmed by the Austrian DPA. If the DPC wanted to try to enforce a legal obligation to remove the materials, Schrems wrote: “we are very much looking forward to having this matter decide[d] in the relevant courts of law in Austria”.
Instead, the DPC demanded that NOYB should draft and sign a “non-disclosure agreement” within “one working day”, in the absence of which the DPC would not hear the complainant in the future. Once more, Schrems was not only unabashed, but went on the attack:
The DPC engaged in procedural blackmail. Only if we shut up, the DPC would ‘grant’ us our legal right to be heard. We have reported the incident to the Austrian Office for the Prosecution of Corruption. This is a regulator clearly asking for a ‘quid pro quo’ to do its job, which likely constitutes bribery in Austria.
The surprises didn’t end there. In the last few days, another draft document has been released by NOYB with the title “Guidelines on the application of the contractual necessity basis for processing under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects”. It suggests that Ireland’s DPC tried to make its view that contracts could be used to override GDPR protections part of the official European Data Protection Board (EDPB) guidelines on how the GDPR should be applied to things like social networks. A key section of the 2018 draft reads:
ln the context of online services, the EDPB notes that many companies are now funded by the sale of online behavioural advertising, based on the tracking and profiling of service users. In order for such processing to fall within the scope of Article 6(1)(b) [of the GDPR], the terms of the agreement entered into between the parties must clearly indicate that behavioural tracking, monitoring, profiling or personalisation constitutes an element of the contract. When entering into such a contract, it should be clear from the terms agreed that the user’s personal data will be processed for the purposes of serving them individualised advertisement.
The comments from the other national data protection authorities, on one section in particular, are forthright, to say the least: “Disagree. This reduces the GDPR to a proforma instrument.” Another reads: “Disagree. We believe this is not the case.” A comment on a related section of the draft called it “contrary to everything we believe in”, and added: “According to the GDPR, the processing must be necessary for the performance of a contract. In other words, it must not be possible to provide a contract or service without the processing. Is it possible to provide social media accounts without tracking and profiling? Yes, in fact it is. Therefore, tracking or profiling is not necessary for the performance of that contract.”
This view prevailed in the final version of the EDPB guidelines. But the possibility that the Irish DPC was pushing for the guidelines to say that contracts could trump the GDPR in this way – an allegation that the DPC for its part calls “utterly untrue” – is troubling. It would be bad enough that any of the EU’s data protection authorities were seeking to hollow out GDPR protections in this way. But if it came from the body responsible for policing in Europe most of the world’s leading online services, that would make it even more concerning. A leading EU politician, Sophie in ‘t Veld, has already called for the European Commission to “start action against Ireland NOW!”.
Featured image by Georg Molterer.